Some budget Android phones are secretly sending user data to servers in China

Update: ZTE USA has responded with an official statement. “We confirm that no ZTE devices in the U.S. have ever had the Adups software cited in recent news reports installed on them, and will not. ZTE always makes security and privacy a top priority for our customers. We will continue to ensure customer privacy and information remain protected.”

Update 2: Here's Huawei's official reponse. "Huawei takes our customers' privacy and security very seriously, and we work diligently to safeguard that privacy and security. The company mentioned in this report is not on our list of approved suppliers, and we have never conducted any form of business with them."

A newly-discovered piece of software running in an unknown number of budget Android phones is reportedly sending user location data, text messages, and call logs to a server in China every 72 hours. First discovered by Security firm Kryptowire and reported by the New York Times, the backdoor is said to be there intentionally and not due to a security flaw, though at this point it’s unclear if the data is being collected for advertising purposes or if it is and actual governmental effort at surveillance.

The software was developed by a Chinese company called Shanghai Adups Technology Company, which claims to have software running on more than 700 million, mostly low-end devices Android devices. Among its customers are Chinese giants like Huawei and ZTE, and at least US Android manufacturer, BLU Products, has confirmed that 120,000 of its phones are affected and it’s taken steps to remove it.

Kryptowire noted that the software and its behavior managed to bypass mobile anti-virus protection because it ships with the device and is not assumed to be malware. A security researcher for the company stumbled upon the issue after buying an inexpensive BLU R1 HD phone for an overseas trip and noticing “unusual network activity” during the phone’s setup process.

The software was allegedly written and used with the intent of assisting with customer support for an unnamed Adups client. A representative from the Chinese software company characterized the inclusion of this backdoor in other phones as “a mistake” and denied any government involvement.

Google for its part has requested Adups to remove the surveillance software from any phones that run services like the Google Play store. Adups has not published a list of affected phones, however, so it is not clear how users can determine whether their phones are vulnerable.